View Enterprise DLP Log Details
View the log details for traffic that matches your data filtering profiles on firewalls that are using Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server.

| Where Can I Use This? | What Do I Need? |
|---|---|
| | Or any of the following licenses that include the Enterprise DLP license |
An Enterprise Data Loss Prevention (E-DLP) Incident is generated when traffic matches your Enterprise DLP data profiles for Prisma Access (Managed by Strata Cloud Manager) and SaaS Security on Strata Cloud Manager. You can then filter and view the DLP Incident for the detected traffic, including the matched data patterns, the source and destination of the traffic, and the file and file type. The DLP Incident also displays the specific data pattern that the traffic matched, along with the number of unique occurrences and the total number of occurrences of those data pattern matches.

You can then view this sensitive content, called a snippet. A snippet is evidence or identifiable information associated with a pattern match. For example, if you specified a data pattern of Credit Card Number, the managed firewall returns the credit card number of the user as the snippet that was matched. By default, the managed firewall returns snippets.

Strata Cloud Manager uses data masking to mask the data in the snippets. By default, the DLP Incident displays the last four digits of the value in cleartext (partial masking). For example, a DLP Incident displays a snippet of a credit card number as XXXX-XXXX-XXXX-1234. You can also specify that the data be displayed completely in cleartext, or that it be fully masked so that all values are hidden. Snippets are available for regular expression (regex)-based patterns only.
Strata Cloud Manager
View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles on Strata Cloud Manager.

- Log in to Strata Cloud Manager.
- Select Manage > Configuration > Data Loss Prevention > DLP Incidents.
- Select a Scan Date and Region to filter the DLP Incidents. Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located. For Prisma Access (Managed by Strata Cloud Manager) and SaaS Security, Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated. When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically resolve to it if it is closer to where the inspected traffic originated. This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
- Review the DLP Incidents summary information to help focus your incident investigation. These lists are updated hourly.
  - Top Data Profiles to Investigate—Lists up to seven data profiles with the highest number of incidents in descending order.
  - Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
  - Sensitive Files by Action—Lists the number of incidents based on the Action taken by Enterprise DLP in descending order.
- Review the Incidents and click a Filename to review a specific incident. You can Add New Filter to filter the DLP incidents by Action, Channel, Data Profile or Response Status to search for a specific incident you want to review.
- Review the Incident Details to review specific file upload details. Make note of the Report ID for the DLP incident if you haven't already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
  - Info: The Info panel displays general information about the DLP incident.
    - Channel/Source—The security endpoint using Enterprise DLP through which the incident occurred.
    - Incident ID—Unique ID for the DLP incident.
    - Report ID—Unique ID used to view additional Traffic log details regarding the DLP incident.
    - Data Profile—Data profile that the traffic matched and that generated the incident.
  - Data
    - Asset—Name of the file containing sensitive data that generated the incident. For non-file inspection, the asset name is http-post-put.
    - Type—File type for the file that generated the incident. For non-file inspection, the type is non-file.
    - Direction—Indicates whether the matched traffic was a Download or an Upload when the incident occurred.
    - Scan Date—Date and time the matched traffic was scanned and the DLP incident was generated.
  - User: User data requires integration with Cloud Identity Engine (CIE) to display. The User data displayed corresponds to Palo Alto Networks Attributes that correlate to specific directory provider fields in CIE.
    - User ID—ID of the user that generated the DLP incident. The User ID field does not require CIE integration. However, the corresponding Palo Alto Networks Attribute is User Principal Name.
    - Role—Role of the user that generated the DLP incident. The corresponding Palo Alto Networks Attribute is Title.
    - Organization—Organization with which the user that generated the DLP incident is associated. The corresponding Palo Alto Networks Attribute is Department.
    - Location—Location of the user that generated the DLP incident. The corresponding Palo Alto Networks Attribute is Location.
    - Manager—Manager of the user that generated the DLP incident. The corresponding Palo Alto Networks Attribute is Manager.
  - Session
    - Device—Serial number of the firewall that blocked a file or generated an alert.
    - Destination IP—Target upload or download IP address of the application or user.
    - App—App ID for the target application.
    - URL—Fully Qualified Domain Name (FQDN) of the target application or user.
  - Annotations: The Annotations section allows you to add notes and details regarding the DLP incident. Save any annotations regarding the DLP incident so that other administrators can view them.
- Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected. For nested data profiles, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a DataProfile with the nested profiles Profile1, Profile2, and Profile3, and scanned traffic matches the nested Profile2 and is blocked. In this scenario, the data profile displayed for the incident is Profile2.
- Review the file log to learn about the traffic data for the DLP incident.
  - Select Incidents & Alerts > Log Viewer.
  - From the Firewall drop-down, select File.
  - Filter to view the file log for the DLP incident using the Report ID: `Report ID = <report-id>`
  - Review the file log to learn more about the traffic data for the DLP incident.
DLP App
View the log details for traffic that matches your Enterprise Data Loss Prevention (E-DLP) data profiles on the DLP app on the hub.

- Log in to the DLP app on the hub. If you don't already have access to the DLP app on the hub, see the hub Getting Started Guide. Only Superusers can access the hub.
- View the DLP Incidents.
- Select a Scan Date and Region to filter the DLP Incidents. Enterprise DLP Incidents are generated in the Region where the Public Cloud Server is located. For Panorama and Prisma Access (Managed by Panorama), the region is determined by the currently configured Public Cloud Server. By default, the Enterprise DLP plugin is configured to resolve to the closest Public Cloud Server to where the inspected traffic originated, but you can configure a static Public Cloud Server. For Strata Cloud Manager, Enterprise DLP automatically resolves to the closest Public Cloud Server to where the inspected traffic originated. When a new Public Cloud Server is introduced, Enterprise DLP begins to automatically resolve to it if it is closer to where the inspected traffic originated. For Panorama and Prisma Access (Managed by Panorama), this happens only if you keep the default Public Cloud Server FQDN. For Strata Cloud Manager, this happens by default. This might mean that new DLP Incidents generated after the release of a new Public Cloud Server are generated in a different Region.
- Review the DLP Incidents summary information to help focus your incident investigation. These lists are updated hourly.
  - Top Data Profiles to Investigate—Lists data profiles with the highest number of incidents in descending order.
  - Top Sources to Investigate—Lists up to seven source IP addresses and Fully Qualified Domain Names (FQDN) with the highest number of incidents in descending order.
  - Sensitive Files by Action—Lists the number of incidents based on the Action taken in descending order.
- Review the Incidents and click a Filename to review a specific incident. You can filter the DLP incidents by File Name or Report ID to search for a specific incident you want to review.
- Review the Incident Details to review specific file upload details. Make note of the Report ID for the DLP incident if you haven't already done so. The Report ID is used to view additional Traffic log details regarding the DLP incident.
- Review the Matches within Data Profiles to review snippets of matching traffic and the data patterns that matched the traffic to better understand what data was detected. For nested data profiles, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a DataProfile with the nested profiles Profile1, Profile2, and Profile3, and scanned traffic matches the nested Profile2 and is blocked. In this scenario, the data profile displayed for the incident is Profile2.
  - In the snippet, Enterprise DLP only masks traffic that matches the data pattern match criteria. Other sensitive data captured in the snippet is not masked if it does not match the data pattern for which the snippet is displayed.
  - Data pattern match criteria configured to inspect for Any occurrence of matched traffic display up to 3 High and 3 Low confidence level matches if detected.
  - Data pattern match criteria configured to inspect for High confidence level matches display up to 3 Low confidence level matches if detected.
  - Data pattern match criteria configured to inspect for Low confidence level matches display up to 3 High confidence level matches if detected.
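The two snippet rules described on this page, the three display modes (cleartext, partial masking with the last four digits in cleartext, full masking) and the rule that only spans matched by the data pattern are masked, as an added illustration that is not Palo Alto Networks code. The credit-card regex, the sample snippet and the choice to keep separators such as `-` unmasked are assumptions made for the example; the product's real patterns and rendering are not published on this page.

```python
import re
from typing import Tuple

# Hypothetical regex standing in for the "Credit Card Number" data pattern.
# The page does not publish E-DLP's real patterns; this one is illustrative.
CARD_PATTERN = re.compile(r"\b(?:\d{4}-){3}\d{4}\b")

# Constructed sample snippet: the same card value twice (one unique value,
# two occurrences) next to an e-mail address the pattern does not cover.
SAMPLE_SNIPPET = ("Card 4111-1111-1111-1234 billed to jane.doe@example.com; "
                  "receipt for 4111-1111-1111-1234 sent on 2024-05-01")

MASK_CHAR = "X"


def mask_match(value: str, mode: str) -> str:
    """Mask one matched value in the chosen display mode.
    Separators such as '-' are kept so the shape of the value stays
    recognisable (an assumption about how the product renders masks)."""
    if mode == "cleartext":
        return value
    masked = "".join(MASK_CHAR if c.isalnum() else c for c in value)
    if mode == "full":
        return masked
    if mode == "partial":
        # Last four characters stay in cleartext (XXXX-XXXX-XXXX-1234).
        # A value of four characters or fewer is masked entirely, since
        # revealing its tail would reveal the whole match.
        if len(value) <= 4:
            return masked
        return masked[:-4] + value[-4:]
    raise ValueError(f"unknown masking mode: {mode}")


def mask_snippet(snippet: str, pattern: re.Pattern, mode: str = "partial") -> Tuple[str, int, int]:
    """Mask only the spans the data pattern matched; other sensitive-looking
    text in the snippet is left as-is, mirroring the page's per-pattern rule.
    Returns (masked_snippet, total_occurrences, unique_occurrences)."""
    seen = set()
    total = 0

    def _sub(m: re.Match) -> str:
        nonlocal total
        total += 1
        seen.add(m.group(0))
        return mask_match(m.group(0), mode)

    return pattern.sub(_sub, snippet), total, len(seen)


if __name__ == "__main__":
    for mode in ("partial", "full", "cleartext"):
        print(mode, mask_snippet(SAMPLE_SNIPPET, CARD_PATTERN, mode))
```

Note that the e-mail address survives in every mode: it is sensitive, but it is not what the Credit Card Number pattern matched, which is exactly the behaviour the list item above describes.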
Panorama
View the log details for traffic that matches your data profiles on firewalls that are using Enterprise Data Loss Prevention (E-DLP) on the Panorama™ management server.

- Log in to the Panorama web interface.
- Select Monitor > Logs > Data Filtering and Filter the data filtering logs by entering ( subtype eq dlp ).
- View more details about the file, including file snippets.
  - Click to the left of the specific log entry for which you want to view more details.
  - Select DLP to view the pattern details.
  - Show Snippet to view a snippet of the data that matched the specific data pattern. For nested data profiles, the data profile displayed is the specific nested data profile that matched the scanned traffic. For example, you create a DataProfile with the nested profiles Profile1, Profile2, and Profile3, and scanned traffic matches the nested Profile2 and is blocked. In this scenario, the data profile displayed for the incident is Profile2.
  - Review the masked snippet to understand what data was detected.